Data Security Mandates Disadvantage Small Business
Lenard Testifies to House Subcommittee on Regulatory Burdens

WASHINGTON D.C. - A careful benefit-cost analysis should be performed when crafting federal data security regulations, stated Thomas Lenard, PFF Senior Fellow and Senior Vice President for Research, in testimony presented today before the U.S. House Committee on Small Business Subcommittee on Regulatory Reform and Oversight. In his testimony, Lenard concludes that data security regulations “impose a per unit burden that is inversely related to the size of the company” and “could have an adverse effect on competition, because they make it more difficult for firms to enter markets in which the use of personal information is important.” But Lenard noted that federal regulation preempting state laws would lower the cost incurred by small business.

Lenard urged the Subcommittee to closely examine the impact of data security regulations on small business, and identified a number of ways such regulations would disproportionately impact small firms:

Investment required to establish data security programs involves largely fixed costs that are not recoverable if a business fails, and that could ultimately deter start-ups and new entrants.

Having a "safe harbor" provision for firms that encrypt their data will disfavor small business because of the high fixed cost of such an undertaking.

The costs of notification programs are relatively fixed and therefore decline on a per unit basis as the number of people being notified rises, placing smaller firms at a disadvantage. Also, if provisions are enacted that allow "alternative notices" according to the number of individuals affected or the cost involved, larger companies could avoid individual notification while smaller firms could not.

Without a pre-emptive federal regulation, companies will have to ensure they are in compliance with numerous state laws. The cost associated with familiarizing a business with various state laws is also fixed, disproportionately burdening small firms.

Regulation of the information sector, including data security regulation, raises the cost of obtaining customer lists. That cost, which again would have a greater effect on small firms than on larger established businesses, could discourage new entrants.

Lenard concluded that new data security regulations should not be discounted outright but reiterated that the Subcommittee should carefully consider a benefit-cost analysis to ensure the benefits of regulation are sufficient to justify the cost.

With his written testimony, Lenard included a study co-authored with Emory University Professor and PFF Adjunct Fellow Paul Rubin, which analyzed whether data breach notification requirements would benefit consumers. Among the conclusions reached in the paper are: firms have strong market incentives to invest in data security; individual consumer benefits from data breach notifications are extremely small; indirect costs of data breach notification are incurred when consumers overreact and take harmful actions that impede the flow of information; and federal pre-emption of state notification laws will reduce the cost of compliance.